• Mars
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    You’re thinking about “device-bound passkeys”. Bitwarden and any other third-party credential manager leverages “synced passkeys” because they don’t control the hardware.

    Synced passkeys are actually called out in the FIDO Alliance’s FAQs as preferred since they more closely align with the desired replacement of traditional passwords.

    • Heavybell@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      So it’s just one half of a key pair stored in Bitwarden, then? And you authenticate to Bitwarden as usual?

      • Mars
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Well, it’s a full keypair being stored: Authenticators like Bitwarden need to first provide the public key to the relying party (RP) so the RP can issue the encrypted auth challenge. The challenge then is handed back to the authenticator, user verification happens, then the challenge is signed by the private key and sent back to the RP for verification to complete the auth ceremony.